Security Articles

TeamTNT Continues to Target Exposed Docker API

released on 2021-10-26 @ 10:04:56 AM
Lacework Labs recently caught a new TeamTNT Docker image posing as an Apache server targeting exposed Docker APIs in the wild. Upon successful deployment, the Docker image titled “apache” from Docker Hub account “docker72590” creates a crontab entry that regularly executes and downloads additional payloads from hXXP://crypto[.]htxrecieve[.]top. At the time of this blog post, the Docker image has 1,900 pulls and has been active under this account since August 2021.